PlayStation 3 developers have been busy recently working on payloads for dumping the PS3 per console keys, as once per_console_key_0 is obtained, with full EID decryption, dongles and burned BD-Rs may be a thing of the past.

Below are details from sphinxkoma and the PS3 Wiki (ps3devwiki.com/index.php?title=Talk:Per_Console_Keys) on dumping per_console_key_1 via Kaz... it's only a matter of time for per_console_key_0, which unlocks everything we need.

To quote: PS3 Per Console Keys

EID crypto is very complicated; it is done so on purpose. First of all, EID0 isn't decrypted with one key and one algorithm alone. It is decrypted in several parts which use different algos and keys. The keys are all derivations of a per console key (per_console_key_1) which is stored inside metldr, copied by it to sector 0, and never leaves isolation. That same key is a derivation of the per console key (per_console_key_0) used to encrypt metldr and the bl in the first place as well.

isoldr clears that key from sector 0 before jumping to the isolated module. But before doing so it encrypts it with another keyset and stores it in a buffer so that the isolated module can use the new crafted key. Since the operation is AES, if you know that keyset you can decrypt the crafted key and get the EID root key without pwning a loader or metldr through an isolated module.

Not that you really need it, because you can already use the crafted key to decrypt some of EID0, but not all of it. And the crafted key also uses the first ELF section to be built, as in your isolated module will have a small section which only contains a key, and that key is used as another layer by isoldr to encrypt the buffer with. So basically you have 2 encryption layers over the root key. The final key then decrypts a specific part of the EID.

EID crypto is actually done smart. That is because most of it originally comes from the Cell bootrom, as in they reuse the same algo used for metldr binaries and bl in the EID crypto, including some of the keys and the steps. And you cannot decrypt all of the EID sections unless you gathered every single key and step, and there are a lot. Then you still have to figure out wtf it is you decrypted, because EID is actually full of keys.

5. Quite likely you will not see a picture (black screen) but you will hear a distinct sound (like a C64). Now different things are feasible:

a. X 4eck then starts with ps3load ethdebug
b. then you will want to go back to the XMB and invoke ethdebug (for debugging pkg files)

6. Use ps3load, the method used to send dump_eid_root_key.self to your PS3 (ps3load dump_eid_root_key.self). Now you should see the debug terminal in your debugger and then hopefully you'll find the PCK... (theoretically)

The per console key is used to derive other keys, some of which Sony can't change as this appears to be the bottom of their encryption chain. It's also important to note that this method is intended for dumping per_console_key_1 and per_console_key_n while per_console_key_0 is currently still required.

However, to speculate: in future PS3 CFW updates users may need to be on a Custom Firmware to begin with (or downgrade to one first) and then run a .PKG to get their per console encryption key, followed by using it in a PS3 MFW Builder and installing the resulting modified PS3 Firmware on their PlayStation 3 console.

Finally, from the PlayStation 3 Wiki pages (ps3devwiki.com/index.php?title=Per_Console_Keys for the per console keys and ps3devwiki.com/index.php?title=Boot_Order#Chain_of_Trust for the PS3 boot order):

Per Console Keys

per_console_root_key_0

metldr is decrypted with this key

bootldr is decrypted with this key

might be obtained with per_console_root_key_1? (largely speculative, not necessarily true - needs more looking into; only based on the behavior of the other derivatives known to be obtained through AES)

per_console_root_key_1 / EID_root_key

derived from per_console_key_0

stored inside metldr

copied to sector 0 by metldr

cleared by isoldr

Used to decrypt part of the EID

Used to derive further keys

can be obtained with a modified isoldr that dumps it

can be obtained with a derivation of this key going backwards

obtaining it

launch the patched isoldr with your preferred method

Option 1 - dumper kernel module

modify glevand's spp_verifier_direct to dump the mbox to wherever_you_want (use the payload below as an example)

the example code on how to dump the mbox can be found under Option 2 - dumper payload below

Use glevand's tools, spp_verifier_direct to be specific: "spp_verifier_direct is a kernel module which shows you how to run isolated SPE modules on OtherOS++ Linux by using metldr directly.

It decrypts default.spp profile.

Once you get the EID root key, load aim_spu_module.self with EID0 and the EID root key within anergistic and it will decrypt it.

You can modify it easily to run other SPE modules.

Has been done and tested on 3.41 and 3.55 (not by myself)

So yes, you can obtain the EID root key and partially decrypt the EID0, but the problem is if you want to modify the EID0 (say... to get a DEX idps to convert CEX=>DEX (which doesn't have much use for end-users, only devs)) then you'd need to re-encrypt the EID0, which you can't. Not with those keys at least.

Oh, and PS3 root keys are per console and usually FW independent. However, I don't know about 3.6+ because I didn't test it on it. But it might be true that 3.6+ EID root keys have changed, since $ony changed a load of keys with 3.6+. So using the 3.55 eid_root_key on 3.6+ to decrypt anything probably won't work.

Sony PlayStation 3 hacker moogie301 states the following on this via Twitter: "There are 3 per console keys. it tells you how to obtain 2 (per console key 1 and per console key n) not THE root key. It will not lead to a new CFW, it is fun for devs, you can decrypt a lot of eid and reverse it.. it is not newb friendly at all."

PlayStation 3 hacker defyboy has also added the following: "I don't think this is a step closer to discovering the per-console root key. The EID root key is generated at the factory and incorporated into metldr. metldr is encrypted with your per-console root key and stored on flash. Please note that while it is speculated that the EID root key is a derivative of the root key, that does not mean that it can be used to calculate the root key. In fact, being able to do so is idiotically counter-intuitive to the purpose of having two separate keys.

The per-console root key is likely burnt into the CPU via One Time Programming over the JTAG port, which is disabled after programming. There is a hardware decryption routine that uses this key called Runtime Secure Boot; you cannot access or invoke this routine because it only runs when you load an encrypted image into an isolated SPU.

This is IBM's design, not Sony's. This was designed to be a very secure multi-purpose processor and it was designed by a company that designs security and military systems for governments and large organizations, not a company that mostly makes consumer grade TVs and DVD players. It was Sony's implementation of the secure chain of trust that failed, but I don't see IBM's part failing anytime soon.

Anyway, Sony cannot change metldr or bootldr on current hardware so they no longer have control of those, we only need to dump bootldr to get the lv0 key, this is the highest level sony can change. If we get the lv0 key we can generate a private key where we will be able to decrypt/re-encrypt the entire chain of firmware for current/future firmware."

The Per Console Key in the Cell decrypts bootldr, which is encrypted with the PCK. Bootldr decrypted is the same in EVERY console to date (except possibly the 3K series). When bootldr decrypts lv0, bootldr will be as if it were nowhere to be found. Then you go from there to the Chain of Trust.

Below is Gitbrew's feedback on the PS3 Per Console Key and future developments from them, as follows:

what do you think about the new method of getting the per_console_key?

Durandal: Glevand and many others have been working feverishly to develop methods of obtaining this key. It's nice to see it's paid off. I'm looking forward to a day when the PS3 is as open a development platform as the PSP.

Snowy: One step closer; sooner or later IBM is going to finally send a cease and desist. We'll put that right up next to dasmoover's sign.

Do you have anyone working on an easy to use tool for the key? we are already used to gitbrew pkgs

Durandal: If we weren't, we'd have to quit gitbrew and join PS360...

Snowy: I'm pretty sure anything related to the rootkey, we might leave out just so that people actually learn how to get their own keys. As a sort of accomplishment type thing, but eventually there will be simple pkg files released to do it.

What next projects are we going to see from gitbrew regarding the ps3 scene? can we see some sort of "one day one announcement", like you did a couple of weeks ago?

Durandal: Well RSX is taken care of, NPDRM is getting very close to being irrelevant, and I've heard there's almost usable versions of psl1ght floating around. I guess the next really big thing you'll see is the release of the gitSkeet flasher.

We teamed up with progskeet and rebug to create a special edition of the progskeet2 that will have solderless clips and the kind of support and documentation only gitbrew is capable of providing. It also gives us an opportunity to branch out into actual hardware exploitation as well. As far as the announcement-a-day weeks go, expect to see more of them in the not so distant future.

What is your thought on the recent discoveries on the ps3 scene?

The new jb2 dongle AKA true blue.

Durandal: I'm always very wary of dongles. Usually they're just a ploy to make a buck, and these days it doesn't take long for someone to reverse what the software they're trying to hide does. Expect to see the same happen here. If we want to deter others from trying to peddle their software in a dongle form, we should make a point of reversing a dongle's functionality and implementing it in a package. I'm sure that group paid a lot of money to get all those dongles made, and they'd hate to see that money go to waste.

Snowy: Yet again, as Durandal said, dongles are dongles; regardless, someone is going to take a crack at them and release a free version of it. Cobra hasn't even been touched by most of the developers, and those who have touched it don't really care for piracy. I would like to thank dean for taking the first step in making PSX backups work though, a small step but nonetheless in the proper direction for the scene.

Finally, FiniteElement via ps3devwiki.com/index.php?title=Special:Contributions/FiniteElement states the following hint for those interested, to quote: "(you have all you need already, just read carefully (compare option2 code with the kernel module code))"

Reportedly the JB2 dongle allows users to play v3.6+ PlayStation 3 Firmware titles including FIFA 12 on burned Blu-ray discs; however, it only allows running older PS3 games from the hard drive.

To quote: I live in Indonesia, and here in my country there is a hot rumor about a new dongle called JB2 that can play 3.60+ games burned to blank BD. It also can still play from the HDD...

It requires you to still be on 3.55 (not CFW), use the dongle (without power/eject), and it will boot the PS3; then you can insert the copied/pirated BD disc. It is already being sold and my friend, who is also one of the sellers, has confirmed it can play FIFA 12 and PES 12, with more games coming soon.

I attached all the pics.

Current games:

PES 2012

FIFA 2012

Driver San francisco

God of War Origins

X-Men Destiny

Sniper Ghost Warrior

Upcoming:

Resistance 3

Disgaea 4

Batman Arkham City

Finally, according to GaryOPA the PS3 JB2 (JailBreak 2) device is genuine and will allow games that require the v3.6+ keys to run (including FIFA 12), provided the following requirements are met:

Console must be on PS3 Firmware v3.55 (Official Sony Firmware)

PS3 JB2 USB dongle must be used

PS3 games must be burned to BD-R (Blu-ray) discs

He also states the following on the upcoming PS3 JB2 (JailBreak 2) device:

Retail Price of the JB2 dongle will be around $45

A lot more newer PS3 game titles than originally listed below are now working, and have been confirmed by one of our trusted sponsors.

You will be able to burn the special game discs yourself that are used by the JB2 design, and details on how & why will be coming by next week.

PS3 JB2 Dongle FAQ

Q: what is JB2?
A: the latest dongle; it can play 3.60+ games via a copied BD, not from the HDD

Q: does it do the same as the previous JB?
A: it's different, so that one cannot be used

Pirated games are played using a copied BD + 3.60, but older games below 3.60 can still be played from the HDD

Switching back and forth kmeaw-dongle-kmeaw: you don't need to go back to kmeaw, because the dongle can play games below FW 3.60 from the HDD

Q: how many games are compatible with the 3.60 FW dongle?
A: according to the information there are 33 games, while so far there are new pirated BDs of PES 2012 and FIFA 2012 only; the other pirated games will follow on BD

Q: what is the price of the JB2 dongle and of its pirated BDs?
A: the dongle is between 400-550 thousand and copied/pirated BDs between 50 or 75 thousand, or under $10, depending on the area and the individual seller

Q: what rituals must be performed before using the JB2? by elison007

1. Can't play with original games / higher firmware required (I've tried the original PES 2012 game, but a software update was needed)
2. You can still play from external HDD as usual.
3. Can't back up "copy games" with multiman.
4. Can't play "copy games" without the dongle.

Available games:

Fifa 2012,

Pes 2012,

Driver san Fransisco,

God of war Origin,

X-men Destiny.

Sniper ghost warrior

What you need to do is:

Make sure your PS3 firmware is 3.55 or below

Update your PS3 OFW or CFW with the new one (I will provide it with the burning disc).

You need to go to recovery mode to update if you are coming from 3.55

After update complete turn off ps3

Put your usb dongle

Turn on ps3

Insert bd “copy game”

Play from bluray icon from xmb

Available games:

Fifa 2012

Pes 2012

Driver san Fransisco

God of war Origin

X-men Destiny

Sniper ghost warrior

Price:

USB dongle is $50

BD game is $10

Shipping cost: send me your country + city and postal code, i will inform you later

Dongle Updater v1.0

In order to play this game disc, both your PS3 and dongle must be updated. After the process has completed, your PS3 will be running system software version 3.55.

After the update, your PS3 will have new features available and will retain compatibility with all previous software, however, you will be unable to revert either your PS3 or the dongle to an earlier software version. If you do not wish to apply these updates, then you will be unable to use this game disc.

Do you want to proceed with the update? The first stage will update your dongle.

After the first stage has completed, remove the disc and the PS3 will restart.

Re-insert the disc, and once again run the "Updater" software from the disc.

This time you will be told that you must update the PS3 system software.

Select "OK" and then follow the on-screen directions.

Once the system software update process has completed the PS3 will restart, you will be on firmware version 3.55 and you may then load this game disc. Updating dongle..

Dongle update completed successfully!

ERROR: Unable to communicate with dongle!

ERROR: Dongle update failed!

ERROR: Unable to unlock flash!

The system will now shut down.

More PS3 JB2 details will be added to this article as they become available!